techminis

A naukri.com initiative

Infoblox


Ransomware Spotlight – How Threat Actors use C2 and Data Exfiltration as Part of Double Extortion

  • Ransomware attacks are on the rise and can have serious consequences, including costly downtime, data theft, and reputational damage. The average downtime after a ransomware attack is 22 days, costing companies an estimated $43.2 million. To increase pressure, cybercriminals have deployed double extortion ransomware, where data is stolen and held for ransom. DNS command and control (C2) is a popular communication method for ransomware, used to download the encryption key and execute malicious activities. DNS can also be used for data exfiltration where queries are sent to a malicious server, bypassing data loss prevention tools. DNS-based threat intelligence is a proactive solution to identify ransomware domains before they can be weaponized. Effective mitigation against ransomware involves detecting and blocking C2 communications and monitoring DNS for unusual patterns that may indicate data exfiltration.
  • Ransomware attacks have become a significant concern for organizations worldwide, with the frequency and success of these attacks continuing to rise. Ransomware attacks can have devastating consequences for businesses, including costly downtime, data theft, and reputational damage. The average downtime and recovery time after a ransomware attack is 22 days, with a conservative estimate of the cost of downtime being $43.2 million.
  • To increase the pressure on victims to pay the ransom, cybercriminals then started to resort to double extortion ransomware, where the attackers not only encrypt sensitive data but also steal the data and threaten to publish it on the dark web if the ransom is not paid.
  • DNS C2 is a technique used by cybercriminals to communicate with malware that has infected a target system. Also called beaconing, the malware periodically sends DNS queries to the attacker’s server to check for new commands.
  • In addition to relaying commands and data over DNS, ransomware, especially the double-extortion variety defined above, collects sensitive data such as credit card numbers and sends it out of the organization encoded in DNS queries.
  • Phishing, one of the most used delivery methods for ransomware, lures users to domains owned by threat actors. Proactive identification of such domains, even before they are weaponized, is something DNS threat intelligence excels at, because it can identify domains registered for future malicious use and block them, on average 63 days ahead of attacks.
  • By monitoring DNS traffic and using DNS threat intelligence, organizations can block the C2 communications, preventing the encryption key download and the eventual encryption of data.
  • It is important that all DNS record types are examined (e.g. A, AAAA, CNAME, MX, NS, SOA, TXT) because malware could use any one or several of these record types to avoid detection by standard security tools.
  • Proactive protection against ransomware is extremely important because once ransomware lands, organizations have only about an hour to detect, investigate and remediate to avoid a broader scale incident.
  • Infoblox Threat Defense uses a combination of unique DNS threat intelligence and behavioral analysis to disrupt and minimize the damage caused by ransomware attacks, while delivering precise protection with a 0.0002% false positive rate.
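The three DNS behaviours the summary describes (periodic beaconing to a C2 domain, data smuggled out in long high-entropy query names, and abuse of record types other than A/AAAA) can all be surfaced from ordinary resolver logs. The script below is an added example written for this page, not code from Infoblox or from the original post. The log format (timestamp, client, query type, query name), the domain names, the "last two labels" notion of a registered domain, and all thresholds are constructed assumptions for the illustration.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample resolver log for the example (not real traffic).
# Columns: ISO timestamp, client IP, record type, queried name.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 A www.example.com
2024-05-01T10:00:03 10.0.0.5 AAAA www.example.com
2024-05-01T10:01:40 10.0.0.5 MX example.com
2024-05-01T10:02:00 10.0.0.5 TXT 3f9a1c7e0b5d2846a6c0e1f5b9d37428.exfil-demo.test
2024-05-01T10:02:01 10.0.0.5 TXT 7b2e9d0c4f1a6835e5c1a8f07b9d3246.exfil-demo.test
2024-05-01T10:02:02 10.0.0.5 TXT c4a19e7f3d0b6258b8d0f2a6c9e15743.exfil-demo.test
2024-05-01T10:02:03 10.0.0.5 TXT 0e5b8a3f6c2d9147d7f9b1c0e3a45862.exfil-demo.test
2024-05-01T10:02:04 10.0.0.5 TXT 6d1f4c9a2e7b0358f3a0d2e5b7c91864.exfil-demo.test
2024-05-01T10:00:00 10.0.0.7 TXT update.c2-demo.test
2024-05-01T10:01:00 10.0.0.7 TXT update.c2-demo.test
2024-05-01T10:02:01 10.0.0.7 TXT update.c2-demo.test
2024-05-01T10:03:00 10.0.0.7 TXT update.c2-demo.test
2024-05-01T10:04:00 10.0.0.7 TXT update.c2-demo.test
2024-05-01T10:05:02 10.0.0.7 TXT update.c2-demo.test
2024-05-01T10:06:00 10.0.0.7 TXT update.c2-demo.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, client, qtype, qname) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            records.append((datetime.fromisoformat(ts), client, qtype, qname.rstrip(".").lower()))
    return records


def base_domain(qname):
    # Assumption for the example: the last two labels are the registered domain.
    # Production code should consult the Public Suffix List (think co.uk).
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; encoded or encrypted payloads score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def exfil_candidates(records, min_queries=4, min_entropy=3.5, min_sub_len=20):
    """Flag (client, domain) pairs that send many distinct, long, high-entropy
    subdomains: the shape of data being carried out inside query names."""
    subs = defaultdict(set)
    for _, client, _, qname in records:
        base = base_domain(qname)
        if qname != base:
            subs[(client, base)].add(qname[: -len(base) - 1])
    flagged = []
    for (client, base), names in subs.items():
        suspicious = [s for s in names
                      if len(s) >= min_sub_len and shannon_entropy(s.replace(".", "")) >= min_entropy]
        if len(suspicious) >= min_queries:
            flagged.append((client, base, len(suspicious)))
    return flagged


def beacon_candidates(records, min_queries=6, max_cv=0.2):
    """Flag (client, domain) pairs queried at near-constant intervals, i.e. the
    'check in for new commands' beaconing pattern. Returns (client, domain,
    mean interval in seconds, coefficient of variation of the intervals)."""
    stamps = defaultdict(list)
    for ts, client, _, qname in records:
        stamps[(client, base_domain(qname))].append(ts)
    flagged = []
    for (client, base), times in stamps.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean <= 0:
            continue
        cv = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps)) / mean
        if cv <= max_cv:
            flagged.append((client, base, round(mean), round(cv, 3)))
    return flagged


def record_type_profile(records):
    """Sorted record types seen per domain. Review every type, not only A/AAAA:
    a channel that lives entirely in TXT (or CNAME, MX, ...) is invisible otherwise."""
    profile = defaultdict(set)
    for _, _, qtype, qname in records:
        profile[base_domain(qname)].add(qtype)
    return {d: sorted(t) for d, t in profile.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("possible exfiltration:", exfil_candidates(recs))
    print("possible beaconing:   ", beacon_candidates(recs))
    print("record types per domain:", record_type_profile(recs))
```

On the constructed log, the hex-labelled queries to exfil-demo.test are reported as possible exfiltration, the once-a-minute TXT lookups of c2-demo.test as possible beaconing, and the per-domain type profile shows that both suspicious channels use only TXT, which an A/AAAA-only monitor would never see. In real deployments the thresholds need tuning against legitimate high-volume names (CDNs, anti-spam lookups, and DNSBL-style services produce long labels and regular timing too), which is the reason the original post pairs behavioural analysis with curated threat intelligence rather than relying on either alone.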
